MEMORANDUM FOR:  ROLAND DROITSCH
                 Deputy Assistant Secretary
                 Office of the Assistant Secretary for Policy

FROM:            JOHN J. GETEK
                 Assistant Inspector General for Audit

SUBJECT:         OIG Results on Privacy Policies and Data Collections on DOL Web Sites
                 Final Letter Report Number: 17-01-002-01-010

The Department of Labor's (DOL) Office of Inspector General (OIG) assessed DOL's policies and practices related to personal privacy and data collections on DOL Internet web sites, including the use of cookie technology.

OIG, working cooperatively with the Office of Assistant Secretary for Policy (OASP), recognizes the Department and its agencies took corrective actions while OIG was performing its work to abate vulnerabilities related to visitors being properly notified of their privacy, security, and use of collected personal identifying information. Agencies' actions included modifying their major entry pages and personal information collection vehicles, and the related visitor notifications. Due to these ongoing actions, not all management actions are necessarily reflected in OIG's results. Your full response to the draft report elaborates on this timing issue and is attached to this final report as additional information.

Summary

We found the Department of Labor:

- Has an overall governing web site management policy. Also, OASP has been assigned specific agency responsibility for managing the Department's and agencies' web sites. OIG has discussed the related policies with the OASP and Office of the Solicitor, and was informed that these offices were coordinating to make further refinements to the related web policies.

- Collects and reviews personally identifiable information about individuals who access and complete personal identifying collection vehicles on DOL Internet web sites. These collections establish enough personal information about the visitor that can be used, for example, to respond to visitors' requests for public interest material offered by the agencies. The visitors' personal identifying information, based on OIG interviews and tests, is not maintained for any other purpose.

- Has one agreement with a third party to collect personal identifying visitor information. The Employment Standards Administration, Office of Federal Contract Compliance Programs, has an agreement with the Eastern Research Group, Inc. The purpose is to conduct the Equal Opportunity Survey to obtain employment information from Federal contractor establishments. The collection instrument, reportedly, is electronically secured and collects only the name of the person(s) responsible for the submission of the Equal Opportunity Survey. OIG does not consider this collection to be related to maintaining any personal information that can be used to track any individual's Internet access or viewing habits.

- Has agencies interpreting the related Internet policy differently concerning the definition of what constitutes major entry pages and proper visitor notifications. OIG identified conditions that show multiple interpretations by DOL agencies as to the implementation of the related Internet policy covering major web entry pages, personal information collection vehicles, and elements of proper notifications to web visitors.

- Does not use persistent or session cookies to track personal identifying information. OIG confirmed through testing and interviews that persistent cookies are not in use at DOL.

Background

Under Section 646 of the Treasury and General Government Appropriations Act of 2001, the Inspector General (IG) was to determine and report to Congress the extent the Department and its agencies are engaged in the following activities:

-- the collection or review of singular data, or the creation of aggregate lists that include personal identifiable information, about individuals who access any Internet site of the Department or agency; and

-- the entering into agreements with third parties, including other government agencies, to collect, review, or obtain aggregate lists or singular data containing personal identifiable information relating to any individual's access or viewing habits for governmental and nongovernmental Internet sites.

DOL's governing policies are found in Department of Labor Manual Series (DLMS) - 9, Chapter 1500, Privacy Policy on Data Collection Over Department of Labor Web Sites, which became effective on December 22, 2000.

The following key definitions from the Department's governing policy were used in assessing the Department's and agencies' compliance:

Major Entry Page - is a primary agency web page that acts as a portal to other web pages. It includes the agency's home page; a server home page; a page advertised to the public in pamphlets, brochures, or press releases; major topical and program home pages; and any other DOL portal page or web site main page.

Personal Identifying Information - refers to any information that can be used to ascertain the identity of an individual. Examples include name, address, telephone number, and social security number.

Personal Information Collection Vehicles - refers to forms, questionnaires, and solicitations for the submission of personal identifying information from the public on the DOL Public Web Site. Except for personal information collection vehicles targeted at children (see Section 8g), for the purposes of this definition and policy, excluded are general contact links (i.e., HTML "mail to" links), which do not request specific information, including Webmaster, comment, or suggestion links.

Cookie - is data used to establish and maintain a dialog between the user and the web server and/or track the activities of a user through the web site. There are primarily two types: persistent cookies and session cookies. Persistent cookies are stored on a user's hard drive and typically have a longer life, based on expiration date, than session cookies, which are stored in a browser's memory and are discarded after exit from the browser.

Methodology and Scope

In cooperation with the OASP, OIG performed an assessment of the Department's and agencies' Internet web activities by performing a survey, compiling survey results, and testing selected web sites. The assessment was performed using criteria found in: Federal guidance - OMB Memorandum M-00-13, Privacy Policies and Data Collection on Federal Web Sites; and DOL policy - Secretary's Order 2-2000, U.S. Department of Labor Internet Services, and DLMS - 9, Chapter 1500, Privacy Policy on Data Collection Over Department of Labor Web Sites.

The assessment covered the period of January 16, 2001 to February 20, 2001. During this period, OIG interviewed DOL Webmasters and other responsible officials in the following agencies: Employment Standards Administration (ESA), Employment and Training Administration (ETA), Mine Safety and Health Administration (MSHA), Occupational Safety and Health Administration (OSHA), OIG, and OASP. Using judgmental selection, OIG tested 143 DOL web pages to assess agencies' Internet web management practices related to current guidance and policy.

Assessment Results

Web Page Test Results - OIG initially selected 148 DOL web pages for testing. The OIG found five pages did not meet the definition of a major entry page, and, therefore, they were omitted from the testing. The 143 web pages tested included several types of major entry pages and consisted of the following number of each type:

- 4 Server Default Pages
- 7 Agency Home Pages
- 19 Program Home Pages
- 21 Main Menu Pages
- 5 Children's Home Pages
- 35 Topical Home Pages
- 24 Region Home Pages
- 21 Advertised Pages
- 7 Data Collection Vehicles

Each of the 143 web pages was tested for proper privacy, security, and cookie use notifications, and notifications involving use of personally identifiable information. The following test results show various degrees of implementation and interpretation of DOL's related policy.

RESULTS OF TESTING (1)

  Number of Occurrences (2)   Characteristics
  33                          (A) Privacy and Security Statement complies with policy
  24                          (B) Privacy and Security Statement exists but did not contain the "Cookie Use Notice"
  70                          (C) Privacy and Security Statement does not exist
  22                          (D) Privacy and Security Statement does not conform to DOL's model language (Occurs in four agencies)
  15                          (E) Privacy and Security Statements were found on secondary web pages
  1                           (F) Privacy Policy icon (button) exists, but page could not be found

  (1) Results may not reflect recent changes made by the Department and agencies during this assessment.
  (2) Some individual pages tested resulted in identification of multiple characteristics, i.e., (B) & (D).

In testing agency web sites for personal information collection vehicles, we found five agencies (BLS, ESA, ETA, MSHA, and OSHA) had personal information collection vehicles, and the Department's policy should apply to each. Of the collection vehicles tested, only MSHA's collection vehicle complied with DOL's policy.

Also identified was the Employment Standards Administration, Office of Federal Contract Compliance Programs' agreement with the Eastern Research Group, Inc. The purpose is to conduct the Equal Opportunity Survey to obtain employment information from Federal contractor establishments. The collection instrument, reportedly, is electronically secured and collects only the name of the person(s) responsible for the submission of the Equal Opportunity Survey. OIG does not consider this collection to be related to any individual's Internet access or viewing habits.

Interview Results - OIG interviewed the agencies' Webmasters and other responsible officials in the following agencies: ESA, ETA, MSHA, OSHA, OIG, and OASP. OASP is the responsible agency for the overall management of DOL's web sites as well as the agency that maintains the Department's web server and other agency web sites.

Interviews were performed to get agency perspectives on cookie usage, implementation of privacy statement policies, and use of data collection vehicles. Information from the interviews included:

-- Several instances of past persistent cookie usage were promptly addressed by officials when it was brought to their attention. In most cases, the persistent cookies were being created by new or updated versions of web server software with default settings to create them. Agency officials promptly instituted procedures for reviewing default settings upon all updates of software.

-- Agencies do not currently use persistent or session cookies to track personal identifying information. However, agencies can use persistent cookies but must justify the need and obtain OASP approval prior to their use.

-- All web developers indicated they were aware of the DLMS - 9, Chapter 1500, policy.

-- Agencies did not have specific policies or procedures in place to perform internal reviews for compliance, but all Webmasters and officials interviewed indicated they perform thorough examinations of their web sites.

-- Agencies' major points of entry are to include press releases, pamphlets and brochures, but officials were unable to say whether the agencies always follow the practice.

-- Not all agencies agreed with the Department's policy to cover web pages that can be reached below agency and top program level pages. However, one agency, MSHA, indicated it uses the web server software to identify lower pages with significant entry traffic. MSHA noted that it also includes a link to a privacy statement on all web pages as a default setup for development.

-- The privacy statement being used by the agencies differs by agency. Most agencies use the DOL privacy statement as a model; however, some agencies have homegrown statements that may not be in full compliance with the model statement.

Recommendation

OIG recommends the Assistant Secretary for Policy clarify and strengthen its policy, DLMS - 9, Chapter 1500, to better facilitate consistent implementation across the Department's and agencies' web sites and perform related assessments of the agency web sites.

We appreciate the professionalism and assistance you and your staff provided in responding to this high priority congressional mandate. Should you have any questions related to this effort, please call Robert W. Curtis (693-7001) or Keith E. Galayda (693-5259).

Attachment
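The cookie definition in the Background section separates persistent cookies (which carry an expiration and survive the browser session) from session cookies, and the assessment tested DOL pages for persistent cookie use, including cookies set by web server software defaults. The following is an added example, not part of the OIG report, of how that definition can be applied to the Set-Cookie headers a page returns; the page names, cookie names, and reference date are constructed for illustration.

```python
"""Session vs. persistent cookie check using the OIG report's definition. Added
example, not the report's own: a persistent cookie carries Expires or Max-Age
and outlives the browser session; a session cookie has neither. Samples are constructed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed reference date inside the assessment period (Jan 16 - Feb 20, 2001)
ASSESSMENT_DATE = datetime(2001, 2, 1, tzinfo=timezone.utc)

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {lowercase attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def classify_cookie(header, now=ASSESSMENT_DATE):
    """Return (name, persistent, reason); Max-Age takes precedence over Expires (RFC 6265)."""
    name, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        seconds = int(attrs["max-age"]) if attrs["max-age"].lstrip("-").isdigit() else 0
        if seconds > 0:
            return name, True, "Max-Age=%d" % seconds
        return name, False, "non-positive Max-Age deletes the cookie"
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return name, True, "Expires present but unparseable"  # treat conservatively
        expires = expires if expires.tzinfo else expires.replace(tzinfo=timezone.utc)
        if expires > now:
            return name, True, "Expires " + attrs["expires"]
        return name, False, "past Expires deletes the cookie"
    return name, False, "no Expires/Max-Age: session cookie"

def audit_pages(responses, now=ASSESSMENT_DATE):
    """responses: iterable of (page, [Set-Cookie values]); list persistent cookies set."""
    results = [(page,) + classify_cookie(h, now) for page, headers in responses for h in headers]
    return [(page, name, why) for page, name, persistent, why in results if persistent]

SAMPLE_RESPONSES = [  # constructed: one session cookie, two persistent, one deletion
    ("agency.example.gov/", ["ASPSESSIONID=abc123; path=/"]),
    ("agency.example.gov/program/", ["tracker=xyz; Expires=Wed, 09 Jun 2021 10:18:14 GMT; path=/"]),
    ("agency.example.gov/forms/", ["prefs=1; Max-Age=31536000; Path=/"]),
    ("agency.example.gov/old/", ["legacy=0; Max-Age=0; Path=/"]),
]
```

Any page listed by audit_pages is one where, under the interview results above, the agency would need a justified need and OASP approval for the persistent cookie.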